From 1a35292750e4e57274a9ad7e7ca29f3d6317cbef Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Wed, 4 Feb 2015 15:57:45 -0600 Subject: [PATCH] SEC-2791: AbstractRememberMeServices sets the version If the maxAge < 1 then the version must be 1 otherwise browsers ignore the value. --- .../AbstractRememberMeServices.java | 4 ++ .../AbstractRememberMeServicesTests.java | 40 +++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java index 2950d39292..8669a34db3 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java +++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java @@ -341,6 +341,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices, cookie.setMaxAge(maxAge); cookie.setPath(getCookiePath(request)); + if(maxAge < 1) { + cookie.setVersion(1); + } + if (useSecureCookie == null) { cookie.setSecure(request.isSecure()); } else { diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java index 34aeb5011e..0b53b4ce13 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java @@ -1,5 +1,6 @@ package org.springframework.security.web.authentication.rememberme; +import static org.fest.assertions.Assertions.*; import static org.powermock.api.mockito.PowerMockito.*; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; @@ -353,6 +354,45 @@ public class AbstractRememberMeServicesTests { assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod")); } + // SEC-2791 + @Test + public void setCookieMaxAge0VersionSet() { + MockRememberMeServices services = new MockRememberMeServices(); + MockHttpServletRequest request = new MockHttpServletRequest(); + MockHttpServletResponse response = new MockHttpServletResponse(); + + services.setCookie(new String[] {"value"}, 0, request, response); + + Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY); + assertThat(cookie.getVersion()).isEqualTo(1); + } + + // SEC-2791 + @Test + public void setCookieMaxAgeNegativeVersionSet() { + MockRememberMeServices services = new MockRememberMeServices(); + MockHttpServletRequest request = new MockHttpServletRequest(); + MockHttpServletResponse response = new MockHttpServletResponse(); + + services.setCookie(new String[] {"value"}, -1, request, response); + + Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY); + assertThat(cookie.getVersion()).isEqualTo(1); + } + + // SEC-2791 + @Test + public void setCookieMaxAge1VersionSet() { + MockRememberMeServices services = new MockRememberMeServices(); + MockHttpServletRequest request = new MockHttpServletRequest(); + MockHttpServletResponse response = new MockHttpServletResponse(); + + services.setCookie(new String[] {"value"}, 1, request, response); + + Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY); + assertThat(cookie.getVersion()).isEqualTo(0); + } + private Cookie[] createLoginCookie(String cookieToken) { MockRememberMeServices services = new MockRememberMeServices(uds); Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,